Domain Abuse Reporting

Patrick Jones Senior Director, ICANN

April 2019, Netnod Spring Meeting

| 2 Introductions

• 13 years at ICANN, including 5 in ICANN Security team

• ICANN Office of the CTO leads the DAAR project

| 3 Domain names are often abused for fraudulent purposes online

| 4 Therefore …

• A growing need for proactive detection and mitigation strategies by providers

Currently:

• Lack of knowledge about abuse concentrations in networks

• Lack of knowledge about how providers perform in comparison to their peers

| 5 Abuse Monitoring?

Abuse is not monitored mainly because:

¡ Thin profit margins: monitoring is not seen as worth its cost
¡ No unified methodology for abuse monitoring/reporting
¡ Not enough incentives to monitor abuse

| 6 Domain Abuse Activity Reporting (DAAR)

| 7 The Domain Abuse Activity Reporting System: a system for reporting on domain name registration and abuse data across TLD registries and registrars

| 8 How does this differ from other reporting systems?

• Studies all gTLD registries and registrars for which we can collect zone and registration data

• Allows for historical research

• Studies multiple threats: phishing, botnet command and control, malware, and spam

• Employs a large set of abuse feeds (e.g., blocklists)

• Takes a scientific approach: transparent, reproducible

| 9 DAAR project data can be used to

§ Study malicious registration behaviors
§ Report on threat activity at TLD or registrar level
§ Study historical security threats or domain registration activity
§ Assist operational security communities and academic research
§ Help operators understand or consider how to manage their reputations, anti-abuse programs, or terms of service

More informed security decision making and policy

| 10 DAAR Methodology & Data

| 11 Data Sources

I. DNS zone data
II. WHOIS data
III. Open source or commercial abuse threat (RBL) data*

*Certain data feeds require a license or subscription

| 12 Methodology

[Methodology diagram]
1. DNS zone data for each gTLD (TLD 1, TLD 2, …), collected via CZDS, yields the list of resolved domains.
2. WHOIS data attributes each resolved domain to its registrar.
3. Blacklist/blocklist (RBL) data marks which resolved domains are abused, producing DAAR reputation metrics per registry and registrar.

| 13 i. DNS Zone Data

• Uses publicly available methods
• Centralized Zone Data Service (CZDS)
• Resolved domain names in zone files
• Collects approximately 1220 gTLDs, approximately 194 million domains

| 14 ii. WHOIS

§ DAAR uses published WHOIS registration data: registrar name and IANA ID

§ Current challenges: reliable, accurate registrar reporting depends on WHOIS; scaling data collection

| 15 iii. Abuse Threat Data

DAAR uses multiple abuse Reputation Blocklist (RBL) datasets to generate:

• Daily raw counts of domains associated with abuse
• Daily total and cumulative percentage of abuse domains
• Monthly/yearly counts of newly added abuse domains
• Visual analytics of abuse trends

| 16 iii. Abuse Threat Data (continued)

• DAAR counts "unique" abuse domains: a domain that appears on any of the abuse datasets reporting to DAAR is included in the counts once
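The data flow of slides 12 through 16 (resolved domains from zone data, registrar attribution from WHOIS, several RBL feeds merged so that each domain is counted once, then per-TLD and per-registrar counts and percentages) in working code. This is an added example written for this page, not DAAR's own code: the feed names, registrar IANA IDs, domain names and threat labels are constructed for illustration, and the per-threat breakdown and the one-day "newly added" window are assumptions about how such counts would be derived.

```python
"""Toy reproduction of the DAAR aggregation pipeline from slides 12-16.

All inputs are constructed sample data; the feed names and registrar IANA
IDs are invented for illustration and are not DAAR's."""
from collections import defaultdict

# (1) Zone data: resolved domain names per gTLD, as pulled from CZDS.
ZONE_DATA = {
    "example": ["a.example", "b.example", "c.example", "d.example"],
    "test": ["x.test", "y.test"],
}

# (2) WHOIS: domain -> sponsoring registrar IANA ID. "y.test" is left out
# on purpose to model the WHOIS gaps the deck mentions (slides 14 and 35).
WHOIS = {
    "a.example": 1001, "b.example": 1001,
    "c.example": 1002, "d.example": 1002,
    "x.test": 1001,
}

# (3) Abuse feeds: feed name -> {domain: threat type}. The same domain can
# be listed by several feeds; "notinzone.example" is listed but does not
# resolve, so it must not be counted against any TLD or registrar.
FEEDS = {
    "feed_spam": {"a.example": "spam", "b.example": "spam",
                  "x.test": "spam", "notinzone.example": "spam"},
    "feed_phish": {"a.example": "phishing", "y.test": "phishing"},
    "feed_c2": {"c.example": "botnet_c2"},
}


def unique_abuse_domains(feeds):
    """Union of all feeds: one entry per domain with its threat types merged.
    This is the "counted once" rule from slide 16 (7 feed entries -> 6 domains)."""
    threats = defaultdict(set)
    for listing in feeds.values():
        for domain, threat in listing.items():
            threats[domain].add(threat)
    return dict(threats)


def count_by_threat(domains, threats):
    """Per-threat-type counts; a domain with two threat types counts in both."""
    counts = defaultdict(int)
    for d in domains:
        for t in threats[d]:
            counts[t] += 1
    return dict(counts)


def daar_metrics(zone_data, whois, feeds):
    """Return (per_tld, per_registrar, number of abused domains with no WHOIS record)."""
    threats = unique_abuse_domains(feeds)
    resolved = {d for names in zone_data.values() for d in names}
    # Only domains that resolve in a measured gTLD zone are counted.
    abused = {d: threats[d] for d in threats if d in resolved}

    per_tld = {}
    for tld, names in zone_data.items():
        hits = [d for d in names if d in abused]
        per_tld[tld] = {
            "resolved": len(names),
            "abused": len(hits),
            "pct_abused": round(100.0 * len(hits) / len(names), 2),
            "by_threat": count_by_threat(hits, abused),
        }

    per_registrar = defaultdict(lambda: {"resolved": 0, "abused": 0})
    unattributed = 0  # abused domains that cannot be tied to a registrar
    for d in sorted(resolved):
        iana_id = whois.get(d)
        if iana_id is None:
            unattributed += int(d in abused)
            continue
        per_registrar[iana_id]["resolved"] += 1
        per_registrar[iana_id]["abused"] += int(d in abused)
    return per_tld, dict(per_registrar), unattributed


def newly_added(today_feeds, yesterday_feeds):
    """Domains flagged today that were on no feed yesterday: slide 15's
    "newly added abuse domains", here over an assumed one-day window."""
    return set(unique_abuse_domains(today_feeds)) - set(unique_abuse_domains(yesterday_feeds))


if __name__ == "__main__":
    per_tld, per_registrar, missing = daar_metrics(ZONE_DATA, WHOIS, FEEDS)
    for tld, m in per_tld.items():
        print(f".{tld}: {m['abused']}/{m['resolved']} abused ({m['pct_abused']}%) {m['by_threat']}")
    for iana_id, m in per_registrar.items():
        print(f"registrar {iana_id}: {m['abused']}/{m['resolved']} abused")
    print("abused domains not attributable via WHOIS:", missing)
```

Two details matter in practice and are visible in the sample: a feed entry that does not resolve in any measured zone (notinzone.example) contributes nothing to the metrics, and a resolved, abused domain with no WHOIS record (y.test) still counts against its TLD but cannot be charged to a registrar, which is exactly why the deck calls registrar-level metrics a challenge.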

| 17 Reputation Block Lists : Identifying Threats

| 18 Security Threat Types

DAAR collects domain data for

¡ Phishing
¡ Malware
¡ Spam
¡ Botnet Command & Control

| 19 DAAR Criteria for Reputation Blocklist Data Selection

• Threat classification that matches our set of security threats

• Positive reputation in academic literature, in operational and security communities for accuracy, clarity of process

• Broadly adopted across the operational security community
• Incorporated into commercial security systems
• Used by network operators
• Used by email and messaging providers

| 20 Other Reputation Block List Uses

• RBLs in browsers
• RBLs in the cloud and content-serving systems
• RBLs in your tools
• RBLs in the DNS
• RBLs in commercial firewalls and UTM devices
• RBLs in enterprise mail/messaging systems
• RBLs and third-party email service providers (ESPs)

| 21 Is DAAR an Abuse List Service?

§ ICANN does not compose its own reputation blocklists
§ DAAR presents a composite of the data that external entities use to block threats

§ DAAR collects the same abuse data that is reported to industry and Internet users and is used by commercial security systems, academia and industry

§ Academic studies and industry use validate that these datasets exhibit accuracy, global coverage, reliability and low false positive rates

| 22 Does DAAR Identify All Abuse Data/Types?

§ No. DAAR lists domain names associated with abuse identified by third parties.
§ Only names in generic TLDs are measured, and only for specific abuse types.

| 23 Current Reputation Datasets

Domains only

§ SURBL lists (Spam, Phishing, Malware)
§ Spamhaus Domain Block List (Spam, Phishing, Malware, Botnet C&C)
§ Anti-Phishing Working Group (Phishing)
§ Malware Patrol (Malware, Ransomware, Botnet C&C)
§ PhishTank (Phishing domains)
§ abuse.ch (Ransomware Tracker, Feodo Tracker)

| 24 RBLs in Academia: a Method to Assert RBL Confidence

Partial list of academic studies and citations of RBLs that report to DAAR

• Rotten Apples or Bad Harvest? What We Are Measuring When We Are Measuring Abuse
• Reputation Metrics Design to Improve Intermediary Incentives for Security of TLDs
• Empirically Characterizing Domain Abuse and the Revenue Impact of Blacklisting
• Blacklist Ecosystem Analysis: Spanning Jan 2012 to Jun 2014
• Taster's Choice: A Comparative Analysis of Spam Feeds
• Learning to Detect Malicious URLs
• Understanding the Domain Registration Behavior of Spammers
• The Statistical Analysis of DNS Abuse in gTLDs (SADAG) Report
• Shades of Grey: On the Effectiveness of Reputation-Based Blacklists
• Click Trajectories: End-to-End Analysis of the Spam Value Chain

| 25 Why Is DAAR Measuring Spam Domains?

• The ICANN Governmental Advisory Committee (GAC) expressed interest in spam domains as a security threat in its Hyderabad correspondence to the ICANN Board of Directors. Why? Because:
• Most spam is sent via illegal or duplicitous means (e.g., via botnets)
• Spam is no longer singularly associated with email: link spam, tweet spam, messaging (text/SMS) spam
• Spam is a major means of delivery for other security threats
• Spam has evolved into a (cloud) service: Avalanche, for example, provided domain registrations to customers
• DAAR mainly measures domain names found in the bodies of spam messages
• MOST IMPORTANTLY, spam domain reputation influences how extensively or aggressively security or email administrators apply filtering

| 26 How is DAAR Data Useful?

| 27 Overall Abuse Distribution in DAAR Data (January 2019) [chart]

| 28 Distribution of Domains in gTLDs [chart: resolved vs. abused domains]

| 29 Distribution of Domains with Different Abuse Types in gTLDs [chart]

| 30 Project Status

| 31 Project Status

The OCTO Security, Stability & Resiliency (SSR) team

§ Put the DAAR methodology out for public review and input
§ Reviewed all the reviews and comments received
§ Published SSR responses to the DAAR comments on 1 February 2019

| 32 Project Status

§ Published the first series of the DAAR monthly reports

§ ICANN published the first monthly report from the DAAR system in February 2019
§ The reports contain aggregated and anonymous descriptive statistics and trend analysis on abuse concentrations in gTLDs
§ Monthly reports published through March 2019, including historical data from January 2018


| 33 DAAR & the Open Data Program

§ The data has already enabled constructive and data driven discussions with industry members

§ Open Data Program aims to facilitate access to data that ICANN organization or community creates or curates

§ In cases where licensing permits, DAAR data or reports will be published and included in the Open Data Program

| 34 Project Next Steps

§ Data publication into the Open Data Program

§ Improving the system based on comments and reviews

§ New metrics and analytics based on DAAR

§ Discussion with registries who are interested in viewing their own data


| 35 Challenges Ahead

§ Registrar-level metrics: WHOIS data collection is hard to scale and has inaccuracies

§ ccTLD-level metrics: lack of global ccTLD zone file access


| 36 Where do We Want to Go from Here?

| 37 Measuring Abuse

§ We are always open to discussion on improvements or other ways the data can be used to help inform discussions around DNS abuse

§ If you are a ccTLD and would like to input zone files and use the DAAR data, please contact us


| 38 Discussions on DNS Abuse next month

12-13 May 2019
https://www.icann.org/ids

| 39 Questions?

Thank You

Contact Info: [email protected] [email protected]

@icann

facebook.com/icannorg

youtube.com/icannnews

flickr.com/icann

linkedin/company/icann

slideshare/icannpresentations

soundcloud/icann
